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We propose the idea of a Quantum Cheque Scheme, a cryptographic protocol in which any legiti¬ 
mate client of a trusted bank can issue a cheque, that cannot be counterfeited or altered in anyway, 
and can be verified by a bank or any of its branches. We formally define a Quantum Cheque and 
present the first Unconditionally Secure Quantum Cheque Scheme and show it to be secure against 
any no-signaling adversary. The proposed Quantum Cheque Scheme can been perceived as the 
quantum analog of Electronic Data Interchange, as an alternate for current e-Payment Gateways. 
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I. INTRODUCTION 

Replication of classical information is a significant nui¬ 
sance in copy-protection. Any physical entity created 
classically can be, in principle, copied. Currency bonds, 
printed on textile and paper, are no exception, and any 
adversary, given sufficient time and resources, can be 
able to counterfeit currency bonds. However, the quan¬ 
tum regime can circumvent this problem, exploiting the 
‘No Cloning Theorem’ [1], and pave way for unforgeable 
Quantum Currency that are impossible to counterfeit 
and can have the property of perfect security. 

The idea of Quantum Money was conceived by Wies- 
ner in 1969 Hig. While it inspired several fundamental 
ideas, it did not receive much attention for the next 40 
years, possibly due to the limitations of technology. It 
is only recently that, there has been a surge of interest 
in the possibility of exploiting the laws of quantum me¬ 
chanics to create unforgeable tokens for currency. While 
Wiesner’s original scheme was broken recently [U^, the 
idea of using quantum states to create unforgeable cur¬ 
rency persisted. Recent progress in the area have been 
made by Aaronson [7], who formally studied public key 
quantum money and showed its existence relative to a 
quantum oracle. In the same paper he also proposed a 
scheme, without an oracle, based on random stabilizer 
states. However, it was broken by Lutomirski et al. [8], 
within a year. Recently Farhi et al. [9], proposed a 
scheme for quantum money, using ideas from knot theory. 
Also Aaronson et al. m. proposed a scheme for quan¬ 
tum money from hidden subspaces. While the security 
of Aaronson et al.’s scheme can be proved using a black 
box security and non-black box security under plausible 
cryptographic assumptions, the security of Farhi et al.’s 
scheme is not known and analyzing it would require an¬ 
swering fundamental knot theory problems which has no 
known practical solutions. 

Another research direction in quantum currency is the 
invention of Quantum Coins, which aspires anonymity, 
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in addition to security against counterfeiters, owing its 
origin to the pioneering works of Mosca and Stebila m 
They proposed a scheme based on blind quantum com¬ 
putation that required a verifier to do an obfuscated ver¬ 
ification with the bank and learn only the validity of the 
quantum coin. This however is a private key protocol 
and requires communication with the bank. 

In this paper we propose the idea of Quantum Cheques 
and present a construction of an Quantum Cheque 
Scheme with Perfect Security against any No-Signaling 
adversary. Generally, in a Quantum Cheque Scheme, a 
trusted bank acts as a key generation center and pro¬ 
vides every account holder with a quantum analogue of 
a cheque book and can store relevant information about 
the cheque book secretly. Any account holder, who has 
a valid ’quantum cheque book’ can issue cheques that 
can be verified by the bank or any of its branches, with 
which the bank shares a classical communication chan¬ 
nel. We present the protocol in an idealized form assum¬ 
ing perfect state preparations, transmissions, and mea¬ 
surements, that can also be realized, efficiently, with few 
qubit systems, without compromising on the security. 

Given the active research with the promise to imple¬ 
ment long distance quantum communication networks 
[HHH, a quantum cheque scheme can be perceived 
as the quantum analog of Electronic Data Interchange 
(EDI), as an alternate for current e-Payment Gateways, 
used widely in e-commerce, that authorizes credit card 
payments, which rely on classical communication and 
computational assumptions for their security. While the 
present classical protocols, rely on time-stamping com¬ 
munications to ensure against double spending, a quan¬ 
tum protocol instinctually averts that problem, due to 
No-Cloning Theorem. Another major advantage of such 
quantum cheques will be the fact that they can be real¬ 
ized through physical devices using quantum memories 
[HHH], as well as can be used to stream in the quan¬ 
tum internet without the need for quantum memorv[I7). 
With physical devices, equipped with quantum memo¬ 
ries, one can imagine storing quantum states in their 
computers or smart cards to efficiently perform trans¬ 
actions in person or over the quantum internet. While, 
without Quantum Memory, one would require the pro¬ 
tocol to run in real time, i.e., the Bank prepares and se- 
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curely sends the ’quantum cheque book’ to the account 
holder, following which, the account holder (issuer) at 
once prepares the Quantum Cheque, presents it to the re¬ 
ceiver. The receiver then immediately relays the cheque 
to the Bank, who verifies its (in)validity right away. 

The paper is organized as follows. Section II discusses 
the cryptographic tools, required to realize the Quantum 
Cheque Scheme, namely. Quantum One Way Functions, 
Swap Testing Circuits, and Digital Signatures. Follow¬ 
ing that, in Section III, the Quantum Cheques are de¬ 
fined and an Unconditionally Secure Quantum Cheque 
Scheme is proposed therein. The security of the scheme 
is analyzed in Section IV. Section V concludes the paper, 
briefly summarizing the ideas. 


II. PRELIMINARIES 


B. Eredkin Gate: 

In the classical regime, comparing the equivalence of 
two bit strings is strightforward, however, due to the no¬ 
cloning theorem, d/ might not be able to produce the ex¬ 
act \'il)) state. To compare states \tp) and IV'Oj utilize 
the Fredkin gate (C-swap gate). We prepare an ancilla 
qubit and perform a controlled swap test on two 

state \'ij)) and If IV”) = W)^ Hi® ancilla qubit, after 
performing a Hadamard operator yields |0), on measuring 
on a computational basis, and is said to pass the swap 
test. For (V'lV’O ^ <^) Hi® ancilla qubit, after perform¬ 
ing the necessary Hadamard Gates, upon measurement 
passes the test with probability , and fails the test 
with probability ° . Evidently, the swap test always 
passes for the same inputs, and sometimes fails if they are 
different. By repeating the swap test, one can amplify its 
efficiency. 


A. Quantum One Way Functions: 


For the present scheme one needs a limited-utility 
quantum one way function na [11, based on the fun¬ 
damental properties of quantum system, where unlike 
classical bits, qubits can exist in superpositions. An 
arbitrary quantum state |$) of a qubit resides in the 
Hilbert space C and can be written as, |$) = a |0)-|-,d |1), 
where a,/3 € C, are the probability amplitudes, satisfy¬ 
ing |ap -I- |/3p = 1 and |0) and |1) form an orthonormal 
basis. The distance between two qubit states \4>) and \(j)') 
is defined as — \{(()\(j)')\^. Using volumetric analysis, 
it may be seen that there exists n qubit states 
such that < S for k ^ k'. Buhrman et al. 

[20], showed for S = 0.9, the size of the set can be 2*^^^"^. 

A quantum one way function is defined as, 

: fc X |0)®" ^ \^Pk) , 

where k € {0,1}* and \ipk) is a n—qubit quantum state, 
such that, 

• is easy to compute, i.e., there exists a 
polynomial-time algorithm that can evaluate 
'^{k, lO)®”) and outputs I'i/'fe), 

• is hard to invert, i.e., given |^fc), it is difficult to 
compute k 

At this point, it may be noted that, this construc¬ 
tion can be realized in agreement with Holevo’s theo¬ 
rem, which limits the amount of classical information 
that can be extracted from a quantum state |21| . For 
a binary string, A:, of length L, and C copies of |'0fc), one 
can only learn almost Cn bits of information. By having 
L » Cn, one could achieve a one way function, that is 
impossible to invert. 
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FIG. 1. depicts a circuit for the Fredkin Gate that non- 
destructively compares quantum states ip and ■(/)', with an 
additional ancilla qubit 


C. Digital Signatures: 

A digital signature scheme, H, is a 6-tuple 
(M, E, U, Gen, Sign, Vrfy), where, 

• M is the finite set of valid messages, E is the finite 
set of valid signatures, and U is the finite set of 
users. 

• The key-generation algorithm, Gen, takes in a se¬ 
curity parameter 1^, and outputs the Sign, Vrfy 
algorithms and the public parameters. 

• The signing algorithm, Sign, is a mapping. Sign : 
M xU 

• The verification algorithm, Vrfy, is a mapping, 
Vrfy : M xYx U ^ {True, False}. 

It is required that, for every {Sign, Vrfy) Gen{l^), 
for all k, and m G M, and users i and j, it holds that 

Vrfyj{nri, Signi{m),Ui) =True 

Informally, a digital signature scheme, H, must satisfy 
the following security conditions 
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1. Unforgeability: Except with a negligible (under a 
polynomial factor) probability, it should be impos¬ 
sible for an adversary to produce a valid signature 

2. Non-repudiation: Except with a negligible (under 
a polynomial factor) probability, the signer should 
not be able disavow a legitimate signature. 

Here, we do not discuss explicit constructions of digital 
signatures in detail, and instead use an unconditionally 
secure digital signature scheme, H = {Gen, Sign, Vrfy) 
as a black box. Suitable constructions of an uncondition¬ 
ally secure classical digital signature using multivariate 
polynomials have been proposed by Hanoka et al. [22] . 
Chuam and Roijakkers [53], where they assume the keys 
are prepared by a trusted third party. A quantum dig¬ 
ital signature scheme have been given by Chuang and 
Gottesman [mils]. 

III. QUANTUM CHEQUES 

A. Definition of a Quantnm Cheque Scheme: 

Ideally, a cheque is expected to have the following prop¬ 
erties, 

• A trusted bank or any of its branches must be able 
to verify the authenticity of a cheque. 

• An issuer, after issuing a cheque, must not be able 
to disavow issuing it. 

• No adversary must be able to counterfeit a cheque 
under some issuer’s name or use a cheque more than 
once to withdraw money. 

Informally, a Quantum Cheque Scheme consists of 
three algorithms, 

• Gen, which takes as input a security parameter 
and probabilistically generates a ’cheque book’ and 
key for the issuer. 

• Sign, which takes as input the issuer’s key and 
amount to be signed, and produces a quantum state 
X called a Cheque. (This state x is an ordered pair 
{id,$,p$), where id and $ are classical description 
of the issuer’s identity and amount signed respec¬ 
tively, and is a quantum cheque state.) 

• Verify, which takes in as input the key, and the 
alleged cheque x and decides its (in)validity. 

The Scheme is said to have a completeness error e, if 
V valid cheques Xj 

Pr[Verify{x) accepts] > 1 — e. 

The Scheme is said to have a soundness error <5, if V 
counterfeiters C, 

Pr[X'\X ^0 -.X' ^ C{X)] < 6, 


where X = {xi;X 2 , • • • ,Xq}^ C is a counterfeiter that 
Counterfeits a cheque (formally defined later ) that out¬ 
puts X' = {xijX2j ■ ■ ■ )Xq'}) that Verify accepts, and 0 
denotes an empty set. 

B. The Quantum Cheque Scheme: 

For purposes of brevity, we introduce three parties, 
Alice, Abby and Bank to describe the scheme. The Bank 
can have several branches and can be thought of as a 
set of parties connected by a (secure) classical channel 
with the main branch. The main branch is denoted just 
as Bank in the rest of the paper. Only the Bank is a 
trusted party in the protocol, and not necessarily the 
branches. Alice plays the role of the customer, who issues 
the cheque to Abby, the vendor. Abby then submits it 
to the Bank (or any of its branches), to encash. The 
Bank (or any of its branches) verifies the (in)validity of 
the cheque. In the protocol, we only assume Alice and 
Bank are honest. Any other player can be dishonest and 
adversarial. 

Gen: Alice and the Bank create a shared key k. This 
has to be done only once and can be efficiently realized 
by using, for example, the BB84 Protocol or simply by 
Alice going to the Bank physically. 

Alice and the Bank also agree on an informa¬ 
tion theoretically secure digital signature scheme B = 
{Gen, Sign, Vrfy), and Alice submits her public key, pk, 
to the Bank and secretly stores her Private Key, sk. 

The Bank prepares a string of I GHZ states. 



with I < i < I and corresponding unique serial number 
s G {0,1}" and gives two of the three particles (entan¬ 
gled qubits) from every GHZ triplet state and the serial 
number to Alice (via a secure channel), and stores the 
third particle (entangled qubit) secretly along with other 
details in a private database. For conciseness, we adopt 
the notation to denote a set(string) of 

states, ,\^^‘^'')ghz ’ • ■ ■ ’through¬ 

out the rest of the paper. 

Alice now holds {id,pk, sk, k, s,{\(j)^^'>) 

and the Bank holds {id,pk, k, s, {|(^^*^)^}i=i:i). 

Sign: To Sign a cheque worth amount M, Alice gen¬ 
erates a random number r •(— and prepares a 

n-qubit state, 

\ipaiice) = f{k\\id\\r\\M), 

where / : {0,1}* x |0)®” —)■ |^) is a quantum one 
way function, k is the secret key otherwise shared only 
between Alice and Bank, id is the identity of Alice and 
x\\y represents concatenation of two bit-strings x and y. 
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Alice also prepares I states { )}i=ia corresponding 


to the amount M using the one way function g : {0,1}* x 
|0) ^ \^p), as 


^m) =5(^11^11*) 


for all i, s.t. 1 < i < L 

To create the cheque, Alice uses one of her entangled 
qubits, (with serial number s) to encode 

as follows [24l. 


<Pm 


To encode the *—th qubit. 


Vm 


= Ui |0) + /3i |1) with 


the i—th GHZ state, Alice combines 


Vm 


and one of her 


entangled qubits from the i—th pair, and per¬ 

forms a Bell measurement on the two. More concretely, 
the four particle entangled state can be described as 



\^)ghz 


“2 1^0) AaS + 

+ («* 100)^25-/3.111)^^5 

100)2125 + A-iB 
+ 1$-)^^ (/3.|00)212b-«*|11)a25} 


( 1 ) 


where |4>+), |'1>“), |$+), |'I'“) denotes one of the four 
Bell states, that is then measured by Alice. 

If Alice’s result, from equation 0> is |4'+) or |4' ), 
the Bank’s density matrix of its GHZ particle reads 


PB — \oii\ 10)55 ( 0 | -b |/ 3 i| | 1 )bb( 1 | 


( 2 ) 


while if Alice’s measurement outcome is |$+) or |$ ), 
the Bank’s density matrix of its GHZ particle reads 


P5 = |AP|0)5B(0| + kni)B5(l| (3) 


Following that, Alice performs a suitable gate opera¬ 
tion (Pauli matrix) based on the observed Bell State as 
follows, 

14-+) |4'-)^crz 

j$+) —>■ ax i‘I’~) ctf 


Now, the information of has been split between 

|(/)h))A 2 and Based on the observed Bell State, 

Alice performs a suitable error correction (Pauli Matrix) 
on that she posses. This encoding procedure is 


carried out I times for each of the { 

Alice also signs the serial number s as cr •<— SigUskis). 
Alice finally produces a Quantum Cheque 


X = {id,s,r,a,M,{ (/)h)\ }i=i:i,\tpaiice)) 
' A 2 


and gives it to Abby. 


Verify: Abby when produces the Quantum Cheque 
X = {id,s,r,a,M,{\(j)^’-'i)^Ji=i.,i,\4:aUce)) at any of the 
valid branches of the bank, the branch communicates 
(securely) with the Bank’s main branch, and checks the 
validity of the {id, s) pair and runs a verification using 
yTfypk{o', s). If {id,s) and a is invalid, the branch de¬ 
stroys the cheque and aborts. Else, the respective branch 
continues with the verification. 

The main branch now performs a measurement, in the 
Hadamard basis, on its copy of |(/)) 5 , to obtain outcomes 
|-|-) or |—) and communicates (securely) the results via 
a classical channel to the appropriate Branch. Based on 
the outcome, the Branch performs the following Pauli 

Matrix on | </)(*) )^^, to recover 

1 +) I |-) ^ O'Z 



This is done I times for each of }.=!:/, to re¬ 
cover { The Bank computes { = 

{g{r\\M\\i)}i^i,i and performs a swap test on each state 
{ and { -iPm)}- 


The Bank also computes IV’aiice) = /(^IMIklk) and 
again performs a non-destructive swap test on states 
l^ahce) and Ikzzce)- 

The Bank (or branch) accepts the cheque if both 
the swap tests pass, i.e., if {ipaiiceWaUce) ^ and 


— ^ 2 }i=i:h where ki and K 2 are the thresh¬ 
olding constants, that serve as security parameters deter¬ 
mined by the bank. The Branch rejects and aborts the 
transaction otherwise, and also destroys the cheque. 


IV. SECURITY OF THE QUANTUM CHEQUE 
SCHEME 

A. Impossibility of Counterfeiting: 

For purposes of contradiction, suppose there exists an 
adversary A that breaks the proposed Quantum Cheque 
Scheme, X. Let x ^ denote the experi¬ 

ment, 

{params) G- Gen(l^),x ^ {id,pkid) 

where params are the parameters generated by the algo¬ 
rithm Gen{-), k the security parameter and A is allowed 
polynomially bounded number of queries to its signing 
oracle, Sign{-), for a signer id. Let {Mi, M 2 ... M^} be 
the amounts A queries the signing oracle in a particular 
experiment, to get Quantum Cheques (xij X2, • ■ •, X<?} re¬ 
spectively. 

Let Counterfeit be the event, 

{Verifyix) = 1) A x ^ Xi,X 2 ,---,Xq 

We define, 

SucCj\,x = Pt\x' ^ Exptx,x{^^) ■ Counterfeit^ 
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FIG. 2. (A) Circuit used for signing a Quantum Cheque by Alice, (B) The Quantum Cheque, (C) Circuit used for verifying 
the Quantum Cheque by the Bank 


For the scheme X to be unconditionally secure, 
Succ^^x must be negligible for any adversary. A, with 
unbounded computational resources and time where A is 
only limited by physical laws. 

An unknown quantum state Itp) cannot be perfectly 
cloned, as known from the no cloning theorem. Imperfect 
cloning as shown by Buzek and Hillary |25j . where an 
algorithm that takes ■i/' as input and outputs two qubits 
such that the reduced density matrix of either output 
qubit, p, satisfies {tp\p\ip) = 5/6. This was later proved to 
be optimal nanz]. By having the security parameter n, 
used by the bank for the swap tests, such that n > 0.91, it 
can be made impossible for any adversary to copy states 
and reuse the same cheque more than once. 


It must be noted, an adversary, that successfully forges 
a new cheque for an id, would require the knowledge 
of the (classical) secret key, k, corresponding to id. 
However, even if the adversary has access to q differ¬ 
ent cheques with n qubits per cheque, signed by a key 
k G {0,1}'^, Holevo’s theorem limits the amount of clas¬ 
sical information that can be extracted from a quantum 
state [H]. By having L >> qn, it can be made im¬ 
possible for an adversary to extract relevant information 
about the secret key, and can only guess the key with 
probability P < 2-(0(i)-9n). 

Also, the fact that the adversary does not have access 
to the required pairs of GHZ states, that are otherwise 
shared only among a trusted Bank and the issuer, it is 
impossible for an adversary to produce a cheque x that 
would be verified by a Bank, due to the fact that entan¬ 


glement is monogamous P5H5T| and it would be impos¬ 
sible to produce states { This can be traced 

back to the unconditional security of Hillary et al.’s [23] 


seminal work on quantum secret sharing. 

The only remaining strategy for an adversary, that 
has access to q cheques {xi; X 2 • • ■ Xg}) is to per¬ 
form some unitary operation to at least one of the 
cheques, Xj modify it and produce a tuple x' = 

such that x' i 

{Xi;X 2 • ■ • X?} and Verify accepts x\ where M' ^ M 
and 3j, s.t., !(/’(■’)) and ^ IV'Aiice) 

For purposes of contradiction, suppose the ad¬ 
versary, A successfully modihes a cheque x = 
(Id, s,r, cr,M, |?/AZice)) to produce x' = 

{id, s', r', a', M', li^Aiice))■ 

Basically since he cannot forge new cheques (due to 
reasons mentioned earlier), he can only manipulate the 
qubits stored in the different registers of the quantum 
cheques he has access to, up to an unbounded number of 
Unitary operations. Clearly if M' ^ M or r' ^ r, then 
the adversary at least needs to produce a correspond¬ 
ing signature state \'4’aiice)j which in turn would imply 
the Quantum One Way Function is not secure, and that 
happens w.p. < Another strategy for an 

adversary would be to not modify the signature state, 
but the entangled qubits using only local operations on 
the adversaries local system. 

However, it can be seen for an entangled state, say 
|v[/) = a|00) -|- /3|11) represented by p = Idt) (d>|, and 
given access to only one qubit, pa = Tri,{pab) , if it were 
possible to modify that to produce |'k') = a' |00)-|-/3' |11) 
for a specific value of (a',/3'), it would imply signaling. 
This is because the adversary can do a local operations 
and set the values of a' and /3' to \/l — e and y/e (or 
vice versa) to send a message bit 0 (or 1), with a party 
with whom he shares entanglement with, faster than the 




































































6 


speed of light. 

So, any A that can Counterfeit, can violate the No- 
Signaling Principle or breaks the QOWF. Hence as long 
as the No-Signaling Principle holds, the Succa,x rnust 
be < 

B. Impossibility of Non-Repudiation by Signatory: 

For purposes of contradiction, suppose there exists an 
issuer, A, which can repudiate a quantum cheque issued 
by it earlier. Then we can construct an algorithm B 
that can break the unconditionally secure digital signa¬ 
ture scheme H and violate the property of nonrepudia¬ 
tion. 

This is straightforward to see, where B allows 
A to access the Sign Oracle and after polynomi- 
ally many queries, B requests A a cheque % = 

(id, s,r, tT,M, and a (possibly zero 

knowledge) proof, P, of ^’s capacity to repudiate the 
cheque. B then simply produces (s,(t) as a signature 
and the proof, P, as a challenge to the property of the 
non-repudiation of the claimed Unconditionally Secure 
Signature (USS) Scheme, H. However, this leads to a 
contradiction to the assumption that H is an uncondi¬ 
tionally secure scheme. 

Here only a proof sketch is given. To analyze the secu¬ 
rity of the scheme to its full glory, is left for future study 

[^[3S]. 

V. CONCLUSION 

To conclude, we have put forward here, the idea of 
utilizing quantum states to fabricate currency bonds, in 


form of quantum cheques and presented the first con¬ 
struction for an unconditionally secure quantum cheque 
scheme, where a bank and its client share GHZ states and 
a classical bit string as a secret key. The client can issue 
quantum cheques, y, and these quantum states can be 
physically stored in a quantum memory or transmitted 
in the anticipated quantum internet without the need 
for long term storage of qubits. The bank, or any of 
its branches that are connected by a classical channel, 
can verify the (in)validity of an alleged quantum cheque. 
The proposed scheme is claimed to be unconditionally se¬ 
cure based on fundamental laws of quantum information 
- Holevo’s Theorem and the No-Signaling Theorem. Also 
the fact that it is impossible to clone quantum states pre¬ 
vents replication of quantum cheques for a utility gain of 
an adversary. Such cheques are expected to play a piv¬ 
otal role in the much anticipated quantum internet as 
payment gateways and can also be used in a consumerist 
market where the quantum states can be stored in quan¬ 
tum memories. 
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